Enforce uniform MFA to company-owned resources

Business problem

Compromised passwords are a major source of data breaches. Once a password is
compromised, an attacker can access corporate data with the same permissions as the employee.

Multifactor authentication (MFA) is an important tool in protecting corporate
resources. MFA, also called 2-step verification (2SV), requires users to
verify their identity through something they know (such as a password) plus
something they have (such as a physical key or access code).

To protect user accounts and data, your company has decided that all users must
authenticate themselves using 2SV to access corporate resources.

Solutions

If Cloud Identity is your identity provider (IdP), you can implement 2SV in
several ways. If you use a third-party IdP, check with them about their
2SV offering.

You can select different levels of 2SV enforcement:

Optional—employee decides if they will use 2SV.

Mandatory—employee chooses the 2SV method.

Mandatory security keys—employee must use a security key.

Security keys

Using security keys offers the strongest security among 2SV methods. Users
typically insert this physical key into a USB port on a computer. When
prompted, a user touches the key and it generates a cryptographic signature.

Some scammers set up phishing sites that pose as Google and ask for 2SV
codes. Because security keys use cryptographic signatures and verify the
legitimacy of the site the user is actually visiting, they are less prone to
phishing attacks.

To use a security key with Android mobile devices, a user taps the security key
on their Near Field Communication (NFC) device. Users can also find USB and
Bluetooth Low Energy (BLE) options for Android devices. Apple mobile devices need
Bluetooth-enabled security keys.

Google prompt

Instead of generating and entering a 2SV code, users can set up their Android
or Apple mobile devices to receive a sign-in prompt. When they sign in to their
Google Account on their computer, they get a "Trying to sign in?" prompt on
their mobile device. They simply confirm by tapping their mobile device.

Google Authenticator app

Google Authenticator generates single-use 2SV codes on Android or Apple mobile
devices. Users generate a verification code on their mobile device and enter it
when prompted on their computer. They can enter it to sign in to a desktop,
laptop, or even the mobile device itself.

Backup codes

In the event a user is away from their mobile device or works in a
high-security area where they can't carry mobile devices, they can use a backup
code for 2SV. Users can generate backup verification codes and print them ahead
of time.

Text message or phone call

Google sends a 2SV code to mobile devices in a text message or voice call.

Recommendations

You'll need to balance security, cost, and convenience in deciding which 2SV
alternatives are best for your company. Regardless of which alternatives you
select, we recommend enabling 2SV enforcement. This makes 2SV mandatory.

Use security keys

We recommend requiring security keys for those employees who create and access
data that needs the highest level of security. You should require 2SV for all
other employees and encourage them to use security keys.

Security keys offer the most secure form of 2SV. They are based on the open
standard developed by Google as part of the Fast Identity Online (FIDO)
Alliance. Security keys require a compatible browser on user devices.

Other options

If cost and distribution are factors in your decision, a Google prompt or the
Google Authenticator app are good alternatives. A Google prompt provides a better
user experience, because users simply tap their device when prompted instead of
entering a verification code.

If your users can't carry mobile devices, they can generate printable backup
codes to take into high-security areas.

We recommend against using text messages. The National Institute of Standards
and Technology (NIST) no longer recommends SMS-based 2SV due to the hijacking
risk from state-sponsored entities.

Example

Company A is a large, well-established enterprise that uses on-premises apps
and authentication. To improve security, lower support costs, and scale more
easily, they want to move to Cloud Identity as their primary IdP.

The company adopted a mandate to roll out an IDaaS offering for managing its
cloud presence, which requires rolling out 2SV and completing compliance by a
certain date. The Infosec team is requiring 2SV for all users.

Company A decides to use Cloud Identity to implement 2SV. They plan to make
security keys mandatory for those users who work on the most sensitive and
business-critical company initiatives—and also for those who access employee
information. This includes executives in all organizations and people
in the engineering, finance, and human resources organizations. All other
employees are required to use 2SV. They can select the 2SV method that
suits them best and are encouraged to use security keys.

To require security keys only for certain groups, IT creates subsets of users
within larger organizations, called exception groups. For example, the entire
Marketing organization is required to use 2SV, but only the executives must use
security keys. IT creates an executive group inside each organization, such as
marketing, sales, and support, and enforces security keys on those executive
groups.